#arp #man-in-the-middle #arp-cache-poisoning

app arp-spoofer

A command-line tool to easily run a man-in-the-middle attack leveraging ARP cache poisoning

1 stable release

1.0.0 Dec 28, 2022

#1797 in Command line utilities

MIT license

67KB
457 lines







arp-spoofer



Current version: 1.0.0


🚀 Install

cargo install arp-spoofer

🔰 Description

This command-line tool has been primarily built for educational purposes and as a means to develop a meaningful project in order to learn Rust. It is by no means production material, but has meaningful comments throughout the code to document the different steps and design decisions made to build this tool.

arp-spoofer is a portable, synchronous ARP cache poisoning command-line tool written in Rust that provides an easy way to perform a man-in-the-middle attack on a local Ethernet-based network segment. It only requires the IP address of the target to attack, and the IP address of the default gateway on the network.

An ARP cache poisoning attack leverages design weaknesses in ARP that let an attacker corrupt the ARP caches of remote victims, making them believe that the IP address of a different computer is associated with the attacker's MAC address. Therefore, by sending specially crafted ARP packets on an Ethernet-based local area network, it is relatively easy to deceive victims and have them send all their packets to the attacker's computer instead of the default network gateway.

Below is a simplified representation of how an attacker poisons the cache of the victim and the gateway and how the traffic flows between the different elements when IPv4 forwarding is enabled.

sequenceDiagram
  Attacker->>Victim: Gateway IP is at Attacker MAC
  Note over Attacker,Victim: Victim ARP Cache Poisoning
  Attacker->>Gateway: Victim IP is at Attacker MAC
  Note over Attacker,Gateway: Gateway ARP Cache Poisoning
  Victim--)Attacker: Traffic intended for the Gateway
  Gateway--)Attacker: Traffic intended for the Victim
  Attacker--)Victim: Forwarding of the Victim Traffic
  Note over Attacker,Victim: When IPv4 forwarding is enabled
  Attacker--)Gateway: Forwarding of the Gateway Traffic
  Note over Attacker,Gateway: When IPv4 forwarding is enabled

📘 Usage

Using arp-spoofer is straightforward; the only information that needs to be supplied is:

  • The local network interface to use to perform the attack.
  • The IP address of the victim.
  • The IP address of the default network gateway.

Note that the ARP caches of both the victim and the default network gateway are altered while this tool runs. When interrupted with ctrl-c, the tool attempts to restore both caches to their original values.

Attacking a remote host

You can initiate an attack by running arp-spoofer as shown below.

arp-spoofer \
  --interface <network-interface> \
  --target <victim-ip> \
  --gateway <gateway-ip>

arp-spoofer will automatically attempt to resolve the MAC address of both the victim and default network gateway by issuing legitimate ARP requests on the network. It will then craft spoofed ARP packets to poison the cache of the victim - tricking it into believing the attacker is the default gateway - and of the gateway - tricking it into believing the attacker is the victim. This way all bi-directional traffic from the victim to the gateway (and from the gateway to the victim) will transit via the attacker's network interface.

You can monitor the packets from the victim in transit via the attacker's network interface using a tool such as Wireshark.
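Seen from the defender's side, the poisoning described above shows up on the wire as ARP packets that rebind an already-known IP address to a different MAC address. The sketch below is an added example, not part of arp-spoofer or its README: it parses raw frames with the standard library only, and the names `parse_arp`, `ArpWatch` and `sample_reply` as well as all addresses are constructed for illustration.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

type Mac = [u8; 6];

/// Sender (MAC, IPv4) of an Ethernet II frame carrying an IPv4 ARP request or reply.
fn parse_arp(frame: &[u8]) -> Option<(Mac, Ipv4Addr)> {
    if frame.len() < 42 || frame[12..14] != [0x08, 0x06] { return None; } // EtherType ARP
    let arp = &frame[14..42];
    // htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4, opcode 1 or 2
    if arp[0..7] != [0, 1, 8, 0, 6, 4, 0] || (arp[7] != 1 && arp[7] != 2) { return None; }
    let mac = [arp[8], arp[9], arp[10], arp[11], arp[12], arp[13]];
    Some((mac, Ipv4Addr::new(arp[14], arp[15], arp[16], arp[17])))
}

/// Passive monitor: keeps the last MAC seen per IP and reports every change.
#[derive(Default)]
struct ArpWatch { seen: HashMap<Ipv4Addr, Mac> }

impl ArpWatch {
    /// Some((ip, old_mac, new_mac)) when the frame rebinds an already-known IP.
    fn observe(&mut self, frame: &[u8]) -> Option<(Ipv4Addr, Mac, Mac)> {
        let (mac, ip) = parse_arp(frame)?;
        if ip.is_unspecified() { return None; } // ARP probes carry sender IP 0.0.0.0
        self.seen.insert(ip, mac).filter(|old| *old != mac).map(|old| (ip, old, mac))
    }
}

/// Constructed sample input: a 42-byte ARP reply saying "sip is at smac" to tmac/tip.
fn sample_reply(smac: Mac, sip: [u8; 4], tmac: Mac, tip: [u8; 4]) -> Vec<u8> {
    let hdr: [u8; 10] = [0x08, 0x06, 0, 1, 8, 0, 6, 4, 0, 2]; // EtherType + ARP header, opcode 2
    [&tmac[..], &smac[..], &hdr[..], &smac[..], &sip[..], &tmac[..], &tip[..]].concat()
}

fn main() {
    // Constructed addresses: 192.0.2.0/24 documentation range, locally administered MACs.
    let (gw, victim, other): (Mac, Mac, Mac) = ([2, 0, 0, 0, 0, 1], [2, 0, 0, 0, 0, 2], [2, 0, 0, 0, 0, 9]);
    let mut watch = ArpWatch::default();
    let frames = vec![
        sample_reply(gw, [192, 0, 2, 1], victim, [192, 0, 2, 10]),    // baseline: gateway binding
        sample_reply(victim, [192, 0, 2, 10], gw, [192, 0, 2, 1]),    // baseline: victim binding
        sample_reply(other, [192, 0, 2, 1], victim, [192, 0, 2, 10]), // gateway IP at a third MAC
        sample_reply(other, [192, 0, 2, 10], gw, [192, 0, 2, 1]),     // victim IP at the same MAC
    ];
    for f in &frames {
        if let Some((ip, old, new)) = watch.observe(f) {
            println!("ALERT {} moved {:02x?} -> {:02x?}", ip, old, new);
        }
    }
}
```

A rebinding is a signal rather than proof, since DHCP reassignment or a replaced network card produces the same event; two IPs moving to one MAC within a short window, as in the diagram above, is the stronger indicator.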

📦 Dependencies

Below is a list of the main external crates which arp-spoofer depends on.

| Name | Version | Description |
|------|---------|-------------|
| pnet | 0.31.0 | libpnet is used as a way to build, send and receive packets on the datalink layer. |
| clap | 4.0.32 | clap is used as a command-line argument management library. |
| indicatif | 0.17.2 | indicatif is used as a console output management library. |
| ctrlc | 3.2.4 | ctrlc is used to portably register hooks on ctrl-c. |


Dependencies

~7–17MB
~211K SLoC